DNI sessions collected by X-KEYSCORE

Data is indexed by the basic meta-data like IP Address, Country Codes, Port, Casenotation, Application ID/Fingerprints etc.

If you're only interested in content, Full Log will give you access to everything

…many results in XKS to look through every piece of content by hand

To be more efficient, it's important to utilize the meta-data contained in the other search forms (E-mail Addresses, HTTP Activity, Extracted Files, Document Meta-data etc.)
HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions)

It includes web-surfing, Internet Searching (like Google), Mapping Websites (Google Earth/Maps) etc.

Most of this data will not contain a strong selector like E-mail address
HTTP Activity

HTTP activity comes in two types:

[diagram: a user's browser and the cnn.com server, with arrows for the two directions, Client-to-Server and Server-to-Client]
HTTP Activity Client-to-Server

[screenshot: a captured client-to-server HTTP request and the fields XKS extracts from it; some characters in the original are unreadable]

Raw request as shown on the slide:

    GET /search?tab=urdu&order=sortbath&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1
    Accept: */*
    Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortbath&q=musharraf&start=2&scope=urdu
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: search.bbc.co.uk
    Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f98efc054cf950Mozilla%2f4%2e0%20%28com[truncated on slide]
    Cache-Control: max-stale=0

Extracted fields:

    Host:          search.bbc.co.uk
    URL Path:      /search
    URL Args:      tab=urdu&order=sortbath&q=musharraf&start=3&scope=urdu&link=next
    Search Terms:  musharraf
    Language:      en
    Via:           [empty/unreadable on slide]
    Browser:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Referer:       http://search.bbc.co.uk/search?tab=urdu&order=sortbath&q=musharraf&start=2&scope=urdu
    Cookie:        BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f98efc054cf950Mozilla%2f4%2e0%20%28com[truncated on slide]

    (an unlabelled identifier column on the slide reads 66B08702E9A9B546)
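The slide above shows how much a single cleartext HTTP request gives away once its headers are pulled apart. The following is an added example, not code from the slides or from XKS, that performs the same field extraction (host, URL path, URL args, search term, language, browser, referer, cookies) over a request transcribed from the slide. The cookie value is shortened and a second cookie (SESSION) is constructed; the list of query-parameter names treated as search terms is an assumption for illustration.

```python
"""Parse a cleartext HTTP/1.x request into the metadata fields the HTTP Activity
slide shows.  Added example; the sample request is transcribed from the slide
with the cookie shortened and a constructed SESSION cookie appended."""

from urllib.parse import parse_qs, urlsplit

# Constructed sample, transcribed from the slide (cookie shortened, SESSION cookie made up).
SAMPLE_REQUEST = (
    "GET /search?tab=urdu&order=sortbath&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortbath&q=musharraf&start=2&scope=urdu\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: search.bbc.co.uk\r\n"
    "Cookie: BBC-UID=b479a5f4ad230a53063d5136; SESSION=abc123\r\n"
    "Cache-Control: max-stale=0\r\n"
    "\r\n"
)

# Query parameters commonly carrying a user's search string (assumption: an
# illustrative list, not anything taken from the slides).
SEARCH_PARAMS = ("q", "query", "search", "p")


def parse_request(raw: str) -> dict:
    """Return the extracted fields; headers that are absent map to empty values."""
    head = raw.split("\r\n\r\n", 1)[0]          # request line + headers only
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                              # skip malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()

    parts = urlsplit(target)                      # works on an origin-form target like /search?q=...
    args = {k: v[0] for k, v in parse_qs(parts.query).items()}   # first value per argument
    search_terms = next((args[p] for p in SEARCH_PARAMS if p in args), "")

    # "en-us,en;q=0.5" -> primary language tag "en"
    accept_lang = headers.get("accept-language", "")
    language = accept_lang.split(",")[0].split(";")[0].split("-")[0].strip().lower()

    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            k, v = pair.strip().split("=", 1)
            cookies[k] = v

    return {
        "method": method,
        "host": headers.get("host", ""),
        "url_path": parts.path,
        "url_args": args,
        "search_terms": search_terms,
        "language": language,
        "browser": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
        "cookies": cookies,
    }


if __name__ == "__main__":
    for field, value in parse_request(SAMPLE_REQUEST).items():
        print(f"{field:13} {value}")
```

Every field the function returns travels unencrypted on port 80, which is the practical argument for moving such traffic to TLS: the Host header and the whole request line, including the search term, become part of the encrypted payload rather than network metadata.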
Full log contains basic information on every single DNI session XKS processes.

HTTP activity contains more detailed information on the subset of that data which is web-based (aka port 80 "internet browser" traffic)
How the Search Forms Fit Together

[diagram: nested sets; the outer set is labelled "… of all DNI sessions collected", the rest of the labels are unreadable]
Analysis of 14 May Internet session based target started in MARINA

[MARINA results; blacked-out cells shown as [redacted]]

    TS                USERID      PHONE  USER_A                     ACTIVITY         USER_B
    20090514 132353Z  [redacted]         [redacted]<yahoo>          logged in (im)   119.[redacted]
    20090514 132446Z  [redacted]         [redacted]<msnpassport>    logged in (im)   119.[redacted]
    20090514 132419Z  [redacted]         [redacted]<msnpassport>    logged in (im)   119.[redacted]
    20090514 132834Z  [redacted]         [redacted]<msnpassport>    logged in (im)   1[redacted]
    20090514 132843Z  [redacted]         [redacted]<msnpassport>    logged in (im)   119.[redacted]
    20090514 133517Z  [redacted]         [redacted]<msnpassport>    logged in (im)   119.[redacted]
    20090514 133522Z  [redacted]         [redacted]<msnpassport>    logged in (im)   119.[redacted]
Ensure Activity on IP can be associated with Target

Understand IP usage Dynamic/Static

Research IP using Foxtrail/NKB

Is it a Proxy, DVBLAN, Dial-Up, DSL, etc

Is it Client to Server or Server to Client

Still not sure? User Activity pull for 5 minute period on Foreign IP
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20340601

[diagram: User, Proxy and Server; Request sent to Proxy, Request sent to Server; Response sent to Proxy, Response sent to User]

• Performance: Proxy can cache responses for static pages
• Censorship: Proxy can filter traffic
• Security: Proxy can look for malware
• Access-Control: Proxy can control access to restricted content

Proxy can be run by
• a user
• an ISP
• a web-hosting company
• a content-delivery network (e.g. Akamai)
Proxies on the Internet

[diagram: users connecting to Web-Servers across The Internet in several patterns; labels as laid out on the slide]
    Direct-Connect: short-lived connections, single user
    Mixed-Gateway: short-lived connections, multiple users multiplexed
    Proxy-to-Proxy: long-lived connections, multiple users multiplexed
    User-to-Proxy
    National-Level Proxy (with Cache)
The analyst then did an HTTP activity query to find all web surfing from that IP address within the same rough timeframe.

[screenshot: XKS query form. The left pane lists the Classic A-M search forms: Alert, BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, DNS, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IKE Parser, IRC Cafe Geolocation, Logins and Passwords, Microplugin Metadata]

    Search:         HTTP Activity
    Query Name:     14_may_activity
    Justification:  PK based IP address used by CT target
    Datetime:       Custom
    Start:          2009-05-14 13:30
    Stop:           2009-05-14 14:15
    IP Address:     119.[redacted]   (role: Either)
    IP Address:     [blank]          (role: From)
    Port:           [blank]
    Port:           [blank]
14 May

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Strange HTTP Activity

IP meta-data indicated strange web-based activity

[screenshot: HTTP Activity results]

    Host                            URL Path                                                      Browser
    infoservice.inf.tu-dresden.de   /mixcascadestatus/F30905FCD73B6B30CB5FEFD3250FD66EF4B32591    RPT-HTTPClient/0.4-dev
    infoservice.inf.tu-dresden.de   /infoservices                                                 RPT-HTTPClient/0.4-dev

Raw request as shown on the slide:

    GET /mixcascadestatus/F30905FCD73B6B30CB5FEFD3250FD66EF4B32591 HTTP/1.1
    Host: infoservice.inf.tu-dresden.de
    Connection: Keep-Alive, TE
    TE: trailers, deflate, gzip, compress
    User-Agent: RPT-HTTPClient/0.4-dev
    Cache-Control: no-cache
    Pragma: no-cache
Strange HTTP Activity

Indications from the HTTP activity

Note the strange User Agent/Browser

[screenshot: the same results and raw request as the previous slide, with the Browser column (RPT-HTTPClient/0.4-dev) and the "User-Agent: RPT-HTTPClient/0.4-dev" request header highlighted]
Tip off to possible anonymizer

Open Source research indicated that this user agent was indicative of multi-cast traffic.

… likely tip off that this was some type of anonymizer

[screenshot: the same results and raw request again, with the Browser column and the User-Agent header highlighted]
The two tu-dresden.de requests were the only HTTP activity seen within that timeframe, but given the open source research suggesting that the user agent was an anonymizing proxy, a full log query was run to identify all other traffic originating from that same IP address during the same time.

[screenshot: the two HTTP Activity results]

    Datetime End          Fm IP           Host                            URL Path
    2009-05-14 13:47:33   119.[redacted]  infoservice.inf.tu-dresden.de   /mixcascadestatus/F30905FCD73B6B30CB5FEFD3250FD66EF4B32591
    2009-05-14 13:48:07   119.[redacted]  infoservice.inf.tu-dresden.de   /infoservices
Full Log Results

[screenshot: Full Log results; column alignment reconstructed from the slide, unreadable cells marked ?]

    Datetime End          Fm IP           To IP           Fm Port  To Port  Application Type     Application
    2009-05-14 13:47:??   119.[redacted]  [unreadable]    ?        ?        ?                    http/get
    2009-05-14 13:48:07   119.[redacted]  [unreadable]    1502     443      network_encryption   network_encryption/https
    2009-05-14 13:48:07   119.[redacted]  141.[redacted]  1494     80       web                  http/get
    2009-05-14 13:48:35   119.[redacted]  141.[redacted]  1134     6544     unknown              unknown/tcp
    2009-05-14 13:49:02   119.[redacted]  141.[redacted]  1134     6544     unknown              unknown/tcp

Note the two HTTP activity (port 80) sessions were seen, but in addition there was one SSL (port 443) session and two unknown port 6544 sessions
Full Log Results

    Fm IP           To IP           Fm Port  To Port  Application Type  Application   Data Length  Session Length
    119.[redacted]  141.[redacted]  1134     6544     unknown           unknown/tcp   6936         73?3
    119.[redacted]  141.[redacted]  1134     6544     unknown           unknown/tcp   ?3?83        93961

Of the unknown port 6544 traffic, the data length of the sessions indicated that a significant amount of data was leaving the Pakistan IP used by our target
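The two Full Log slides above make one observation from the session records: traffic to a port with no recognised application, carrying far more data than the web sessions around it. The same check is worth running over the egress flow or proxy logs of a network you defend, where a large unclassified transfer is the usual first sign of a tunnel or anonymizing client. The following is an added example, not code from the slides or from XKS; the records are constructed to mirror the Full Log columns (documentation IP addresses, made-up byte counts), and the 50,000-byte threshold is an illustrative assumption.

```python
"""Triage session records for the pattern on the Full Log slides: sessions with
no recognised application whose combined data length from one source is large.
Added example with constructed records; the fields mirror the Full Log columns,
the values (IPs, byte counts) are made up."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    end: str        # Datetime End, in the slide's format
    fm_ip: str
    to_ip: str
    fm_port: int
    to_port: int
    app_type: str   # e.g. web, network_encryption, unknown
    app: str        # e.g. http/get, network_encryption/https, unknown/tcp
    data_len: int   # bytes carried by the session


# Constructed records loosely modelled on the slide (RFC 5737 documentation addresses).
SESSIONS = [
    Session("2009-05-14 13:47:33", "192.0.2.10", "198.51.100.5", 1502, 443,
            "network_encryption", "network_encryption/https", 5120),
    Session("2009-05-14 13:48:07", "192.0.2.10", "203.0.113.7", 1494, 80, "web", "http/get", 1446),
    Session("2009-05-14 13:48:07", "192.0.2.10", "203.0.113.7", 1495, 80, "web", "http/get", 1380),
    Session("2009-05-14 13:48:35", "192.0.2.10", "203.0.113.7", 1134, 6544, "unknown", "unknown/tcp", 6936),
    Session("2009-05-14 13:49:02", "192.0.2.10", "203.0.113.7", 1134, 6544, "unknown", "unknown/tcp", 83483),
]


def bytes_by_dst_port(sessions):
    """Total data length per destination port, the quickest way to see where the volume went."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s.to_port] += s.data_len
    return dict(totals)


def flag_unknown_transfers(sessions, min_bytes=50_000):
    """Group sessions the classifier could not name by (source IP, destination port)
    and report every group whose combined data length reaches min_bytes.
    Grouping matters: on the slide the transfer is split over two sessions, neither
    of which looks large on its own."""
    groups = defaultdict(list)
    for s in sessions:
        if s.app_type == "unknown":
            groups[(s.fm_ip, s.to_port)].append(s)

    flagged = []
    for (src, port), group in groups.items():
        total = sum(s.data_len for s in group)
        if total >= min_bytes:
            flagged.append({"fm_ip": src, "to_port": port,
                            "sessions": len(group), "bytes": total,
                            "first_seen": min(s.end for s in group),
                            "last_seen": max(s.end for s in group)})
    return sorted(flagged, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    print(bytes_by_dst_port(SESSIONS))
    for hit in flag_unknown_transfers(SESSIONS):
        print(hit)
```

With real logs the interesting follow-up is the one the slide takes next: pull the session content for the flagged port and confirm whether it is readable, since an unclassified port carrying opaque, high-entropy data is what an encrypted tunnel looks like to a flow record.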
Full Log Results

The content appeared unreadable. Further analysis by CES and open source research showed that the content was encrypted

[screenshot: DNI Display with the Raw Data / DNI Format / Services tabs; XKS reports:]

    No presentation available for this type of data. Try sending it to another service for a better view. Below is an attempt to display the document as plain text.

[the plain-text rendering that follows on the slide is unreadable binary data]
HTTP Results led to Full Log Query

While we were ultimately unable to identify what was underneath the 150K of encrypted traffic, we were at the least able to identify that our target was using an anonymizing service to mask a portion of his Internet activity

[excerpt of the resulting report]

SERIAL: 3/00/513109-09

German Anonymising Proxy (TS//SI//REL TO USA, FVEY)

(TS//SI//OC/REL TO USA, FVEY) During the 11, 16, and 18 May sessions on the telephone, the user(s) were using a free German-based anonymizing proxy (http://infoservice.inf.tu-dresden.de), presumably to mask the source of Internet traffic. Use of the anonymising proxy occurred primarily during the times in which [redacted]'s hotmail.com and yahoo.com accounts were accessed.

COMMENT: (TS//SI//OC/REL TO USA, FVEY) The German-based proxy is a Java Anonymous Proxy (JAP), which was developed by the Technical University of Dresden as a free and open source anonymity tool. The proxy functions in a manner similar to The Onion Router (TOR) network. Given his background in computer science and networking, it is not surprising that [redacted] would use an anonymising proxy to secure his Internet activity.
If the Full Log query gave us the HTTP traffic in addition to the other non web based traffic, why don't we only use the Full Log query?

- Because the meta-data options in the full log table are limited

[screenshot: the same Full Log results as before; the only columns the table offers are Datetime End, Fm IP, To IP, Fm Port, To Port, Application Type and Application (http/get; 1502 -> 443 network_encryption, network_encryption/https; 1494 -> 80 web, http/get; 1134 -> 6544 unknown, unknown/tcp; 1134 -> 6544 unknown, unknown/tcp)]
Internet session of an Iran based target

[MARINA results]

    TS                USERID      PHONE  USER_A              ACTIVITY            USER_B          COOKIE
    20090520 092139Z  [redacted]         [redacted]<yahoo>   logged in (email)   213.[redacted]  fuq8afl4q5kjt<yahooBcookie>
    20090520 092139Z  [redacted]         [redacted]<yahoo>   used xforip         192.[redacted]  fuq8afl4q5kjt<yahooBcookie>
    20090520 092130Z  [redacted]         [redacted]<yahoo>   logged in (email)   213.[redacted]  fuq8afl4q5kjt<yahooBcookie>
    20090520 092130Z  [redacted]         [redacted]<yahoo>   used xforip         192.[redacted]  fuq8afl4q5kjt<yahooBcookie>
The analyst then did a full log query based off the IP & X-Forwarded-IP pair

[screenshot: XKS Full Log query form. The left pane lists the Classic A-M search forms: ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, DNS, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IKE Parser, IRC Cafe Geolocation, Logins and Passwords, Microplugin Metadata]

    Search:                        Full Log
    Query Name:                    iran_target
    Justification:                 Iranian IP Address used by cyber target
    Datetime:                      Custom
    Start:                         2009-05-20 09:00
    Stop:                          2009-05-20 11:00
    Client IP (X-Forwarded-For):   [unreadable on slide]
    Username:                      [blank]
    Attribute Info:                [blank]  (Field Builder)
    IP Address:                    213.[redacted]  (role: From)
    IP Address:                    [blank]         (role: To)
Example #2

Full Log table contains the standard DNI meta-data with some but not all information from other plug-ins included (i.e. Username from User Activity, and Application Info contains some HTTP activity)

[screenshot: Full Log results for the Iranian IP on 2009-05-20; columns: Application Info, Username, Fm Country, Fm City (IP), To Country, To City (IP), Datetime, Datetime End, Fm IP, To IP, Fm Port, To Port. Readable values: Application Info holds URLs under platform.facebook.com, static.ak.fbcdn.net, photos-*.ak.fbcdn.net and newsrss.bbc.co.uk; Username is [redacted]@gmail.com on a few rows and empty on the rest; Fm Country/City is IR / TEHRAN on every row; To Country/City is DE / FRANKFURT, GB / LONDON or NL / AMSTERDAM; Datetime values are partly unreadable; Fm Port is an ephemeral port (34847, 37459, 41492, ...); To Port is 80]
… Forwarded-For IP pair was representing a single computer or if there were multiple users on multiple computers in this data.

Full log only provides the bare minimum meta-data to make this determination

[screenshot: the two Full Log rows in question, transcribed from the slide]

    ID  Datetime              Application Info
    70  2009-05-20 10:21:45   http://us.mg1.mail.yahoo.com/dc/ts?log=ActivityMaxIdleTime:High&.gx=1/login_webmail
    61  2009-05-20 10:22:17   http://0.channel31.facebook.com/x/3023227576/false/p_1406565350=0/login_webmail

    Fm IP           To IP            Fm Port  To Port  Application Type  Application          Data Length  Session Length
    213.[redacted]  209.191.1?8.109  55323    80       mail              mail/webmail/yahoo   1446         1968
    213.[redacted]  69.63.176.213    55435    80       social            social/facebook      3402         3922
MARINA provided this information:

    TS                USERID      PHONE  USER_A                 ACTIVITY                 USER_B                        COOKIE
    20090520 102145Z  [redacted]         [redacted]<yahoo>      previously logged in    213.[redacted]                fuq8afl4q5kjt<yahooBcookie>
    20090520 102145Z  [redacted]         [redacted]<yahoo>      previously logged in    213.[redacted]                fuq8afl4q5kjt<yahooBcookie>
    20090520 102145Z  [redacted]         213.[redacted]         used xforip             192.168.36.1                  fuq8afl4q5kjt<yahooBcookie>
    20090520 102217Z  [redacted]         [redacted]<facebook>   used xforip             192.168.36.1
    20090520 102217Z  [redacted]         [redacted]<facebook>   registered with         [redacted]@gmail.com<google>
    20090520 102217Z  [redacted]         [redacted]<facebook>   logged in (forum)

The Yahoo and Facebook activity came from the same proxy IP and the same X-Forwarded-For IP and around the same time, but was it from the same computer?
HTTP Activity Query

Let's query that same date time range and IP / XFF IP pair in the HTTP Activity query to see what we get

[screenshot: XKS HTTP Activity query form, with the same Classic A-M search forms listed in the left pane]

    Search:            HTTP Activity
    Query Name:        iran_target_http
    Justification:     Iranian IP address used by MTOC target
    Datetime:          Custom
    Start:             2009-05-14 13:30
    Stop:              2009-05-14 14:15
    X Forwarded For:   192.168.36.1
    IP Address:        213.[redacted]  (role: From)
    IP Address:        [blank]         (role: To)
Now view the HTTP Activity results

We saw this meta-data in the Full Log results

    ID  Datetime              Application Info
    70  2009-05-20 10:21:45   http://us.mg1.mail.yahoo.com/dc/ts?log=ActivityMaxIdleTime:High&.gx=1/login_webmail
    61  2009-05-20 10:22:17   http://0.channel31.facebook.com/x/3023227576/false/p_1406565350=0/login_webmail

    Fm IP           To IP            Fm Port  To Port  Application Type  Application          Data Length  Session Length
    213.[redacted]  [redacted]       55323    80       mail              mail/webmail/yahoo   1446         1968
    213.[redacted]  [redacted]       55435    80       social            social/facebook      3402         3922

And then these three fields are among the unique (and valuable) fields only found in the HTTP activity table:

    Cookie                                        Referer                                       Browser
    fpwidth=165&suc=...                           http://us.mg1.mail.yahoo.com/dc/launc...      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10...
    datr=1242109330-dc7046de296a31363cbe210f6...  http://0.channel31.facebook.com/iframe...     Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10...

Of interest, note the differences between the two user agents

    Browser
    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

This indicates different versions of Windows, so unless they did an upgrade within the 1 minute difference of activity, there were at least two different computers behind that Proxy and XFF IP pair
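The reasoning on the slides above (same proxy IP, same X-Forwarded-For IP, two User-Agent strings that disagree on the Windows version one minute apart, therefore at least two machines) is exactly the check a network or proxy administrator can run over their own HTTP logs to learn how many hosts share an egress address, which matters when a single address is assumed to be one device for access control or incident scoping. The following is an added example, not code from the slides or from XKS. The records are constructed: the two Firefox user agents are transcribed from the slide, 192.168.36.1 is the XFF value shown there, the proxy address is a documentation address, and the five-minute window is an assumption.

```python
"""Estimate the minimum number of client machines behind each (proxy IP,
X-Forwarded-For IP) pair from HTTP activity records, using the OS version in
the User-Agent as the slides do.  Added example with constructed records."""

import re
from collections import defaultdict
from datetime import datetime

OS_RE = re.compile(r"Windows NT (\d+\.\d+)")   # assumption: Windows-only fingerprinting for the demo

# Constructed sample records: (timestamp, proxy/from IP, X-Forwarded-For IP, User-Agent).
# The two Firefox strings are the ones on the slide; the third and fourth rows are added
# to show a repeat of the same machine and a second XFF address behind the same proxy.
RECORDS = [
    ("2009-05-20 10:21:45", "203.0.113.9", "192.168.36.1",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"),
    ("2009-05-20 10:22:17", "203.0.113.9", "192.168.36.1",
     "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"),
    ("2009-05-20 10:23:02", "203.0.113.9", "192.168.36.1",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"),
    ("2009-05-20 10:30:00", "203.0.113.9", "192.168.36.2",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"),
]


def os_version(user_agent):
    """Return the 'Windows NT x.y' version token, or 'unknown' for anything else."""
    m = OS_RE.search(user_agent)
    return m.group(1) if m else "unknown"


def hosts_behind_pairs(records, window_minutes=5):
    """For each (proxy IP, XFF IP) pair report the distinct OS versions seen, the
    lower bound on machines that implies, and whether two consecutive records
    inside window_minutes disagree on OS (an upgrade that fast is implausible,
    so that is the strong evidence the slides rely on)."""
    by_pair = defaultdict(list)
    for ts, proxy_ip, xff_ip, ua in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_pair[(proxy_ip, xff_ip)].append((when, os_version(ua)))

    result = {}
    for pair, entries in by_pair.items():
        entries.sort()
        versions = {v for _, v in entries}
        conflict = any(
            a_v != b_v and (b_t - a_t).total_seconds() <= window_minutes * 60
            for (a_t, a_v), (b_t, b_v) in zip(entries, entries[1:])
        )
        result[pair] = {
            "os_versions": sorted(versions),
            "min_hosts": len(versions),        # distinct OS versions, not distinct users
            "conflict_in_window": conflict,
        }
    return result


if __name__ == "__main__":
    for pair, info in hosts_behind_pairs(RECORDS).items():
        print(pair, info)
```

The count is a lower bound only: two machines running the same OS and browser build are indistinguishable by this field, which is why the slides treat the User-Agent difference as evidence of at least two computers rather than a count of them.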
You should use both the HTTP activity and Full Log queries to help discover everything your target does when he's online

HTTP Activity will give you great meta-data for quick analysis of "web-based" (port 80) activity

But not all DNI is done through an Internet Browser, so it's important to look at the Full Log query results for indications of the use of other applications


The Multi-Search page gives you the ability to search full log and HTTP activity based on an IP address at the same time

[screenshot: Search > Classic / Multi Search tree offering IP Addresses, Mac Address and Username multi-searches, with the Classic A-M forms listed beneath]

Simply enter in an IP address, choose any or all "roles" (i.e. from/to/xff) and then choose what search forms you want.

    IP Address:  [blank]
    IP Role:     [x] X-Forwarded-For   [x] From   [x] To
    Forms:       User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy
    [Search]  [Clear]
It will submit the multiple searches at the same time; you can either view the results separately or view them as a merged table

[screenshot: My Recent Results]

    Datetime Submitted    Query Name     Status     Num Results  Query Type
    2009-06-08 14:33:40   ok_ip_16_may   finished   605          full log
    2009-06-08 14:33:40   ok_ip_16_may   finished   475          http parser